BOVPN Virtual Interface for Dynamic Routing to Amazon Web Services (AWS)

You can configure a VPN connection between your Firebox and Amazon Web Services (AWS). For example, you might configure a VPN so that hosts on your local network can securely connect to resources on your Amazon Virtual Private Cloud (VPC).

For VPN connections to AWS, we recommend that you configure a BOVPN virtual interface on the Firebox instead of a BOVPN. You can use static or dynamic routing.

In this example, we show a VPN configuration with:

  • Dynamic BGP routing
  • One Firebox external physical interface
  • Two Firebox BOVPN virtual interfaces
  • One AWS gateway with two IP addresses for failover

AWS does not support OSPF.

Configure AWS

An AWS VPN configuration includes one virtual private gateway with two external IP addresses for redundancy. AWS automatically determines which IP address is the primary IP address.

Failover between the external IP addresses is enabled by default. If the primary AWS external IP address is unavailable, VPN traffic automatically fails over to the other AWS external IP address.

For detailed instructions about how to configure the AWS VPN settings, go to the Amazon Virtual Private Cloud User Guide.

Download the AWS Configuration File

Before you configure the Firebox, download the configuration file from your AWS account:

  1. Log in to the AWS Management Console at
  2. Click to expand All Services.
  3. In the Networking & Content Delivery section, click VPC.
  4. From the navigation menu, in the Virtual Private Network section, click Site-to-Site VPN Connections.
  5. Select the box for the connection.
  6. Click Download Configuration.
  7. From the Vendor drop-down list, select WatchGuard, Inc.
  8. From the Software drop-down list, select Fireware OS 11.12.2 +.
  9. Click Download.
    A .txt file downloads to your desktop.
  10. Open the .txt file in a text editor.

Find the AWS Pre-Shared Keys and IP Addresses

The .txt configuration file contains the pre-shared keys, gateway IP addresses for AWS Tunnel 1 and Tunnel 2, and routes to the trusted (private) network of your AWS VPC.

You can also find the IP addresses in your AWS configuration:

  • For the gateway IP addresses, select Virtual Private Network > Site-to-Site VPN Connections > [name].
  • For the routes, select Virtual Private Cloud > Subnets or Virtual Private Cloud > Route Tables.

For this example, the AWS configuration uses these IP addresses:

  • Customer Gateway Address203.0.113.2 (external interface on the Firebox )
  • VPN Connections:
    • Tunnel 1 — (first IP address of the AWS virtual private gateway)
    • Tunnel 2192.0.2.2 (second IP address of the AWS virtual private gateway)
  • Static Route10.0.1.0/24 (trusted network of the Firebox)

Configure the Firebox

For this example, the Firebox has one external interface and one trusted network:

Interface Type Name IP Address
0 External External
1 Trusted Trusted

Add the BOVPN Virtual Interfaces

To configure a redundant gateway that uses both AWS external IP addresses, you must configure two BOVPN virtual interfaces.

Configure the Virtual Interface IP Address and Netmask

Configure the Phase 1 and Phase 2 Settings

During VPN negotiations, AWS identifies the authentication and encryption algorithm settings from the Firebox. If AWS supports the settings, AWS automatically uses the same settings. AWS supports specific proposals. You cannot edit the AWS configuration to specify different proposals.

In Fireware v12.10 and higher, Fireware supports Diffie-Hellman Group 21.

Specify BGP Commands

The AWS BGP ASN and the virtual IP address (the BGP peer address) are defined by AWS and cannot be changed.

Related Topics

BOVPN Virtual Interface for Static Routing to Amazon Web Services (AWS)